The ability of individual persons and organizations to protect confidential information has become increasingly important, and yet complicated, in today's society. The Internet has enabled interconnection of different computer networks all over the world. It provides a medium for sending electronic mail (i.e., email) between different users connected to different computer networks. Protecting confidential information has been made especially difficult due to an ever-changing array of social engineering tactics using the Internet, and particularly using email over the Internet. Social engineering includes any attempt to manipulate persons into divulging sensitive information (e.g., personal information, financial information, computer security data, work-related confidential information, etc.). Thus, social engineers rely on people, rather than computer security holes, to obtain sensitive information through mediums such as email, Internet, or phone.
Examples of social engineering tactics that rely on email include “phishing”, “spoofing”, and “pharming” scams. Phishing and spoofing include scams that combine social engineering tactics with email. Phishing includes the process of attempting to acquire information such as usernames, passwords, or financial information by masquerading as a legitimate and trustworthy entity in an electronic communication such as email. For example, an email may purport to be from a bank, a social website, or online payment processors. Such emails often direct recipients to enter sensitive information into a seemingly legitimate website that is actually a sham. Spoofing may occur when certain properties of an email message, such as the “FROM” field in the message header, have been altered to make it appear as if it came from a different source. Thus, the recipient may be tricked into believing that the email was sent from a legitimate source, and thereby, reveal sensitive information. Other social engineering schemes are continuously being devised with a common goal of using technology to manipulate users into divulging sensitive information. Security professionals and network administrators should attempt to manage social engineering tactics that make it difficult to distinguish between legitimate and bogus requests for information.